1. INTRODUCTION

Today, peer-to-peer (P2P) is an architecture for sharing a wide range of media on the Internet.
P2P traffic represents about 27% to 60% of the total Internet traffic, depending on geographic location [1],
[2]. The high volume of P2P traffic is due to file sharing, video streaming, on-line gaming and other activities
that client-server architecture cannot accomplish as fast or as efficiently as the P2P architecture. The rapid
growth of P2P traffic volume over the years has resulted in deteriorated network performance
and congestion due to the high bandwidth consumption of P2P applications [3]. Therefore, traffic
identification is required to improve traffic management.

First-generation P2P application traffic was relatively easy to identify due to the use of fixed
port numbers. However, current P2P applications are able to circumvent port-based identification by using
anonymous port numbers or port disguise [4], [2]. Methods that rely on inspecting application
payload signatures have also been proposed [5]. For reasons of privacy and practicality, this method is
ineffective. The limited effectiveness of the port-based and payload-based methods prompted the use of flow
statistics as features for traffic identification. These strategies offer more flexibility in detecting P2P traffic
than signature-based and port-based methods.

Several techniques proposed over the last two decades have focused on the attainable
identification accuracy using several machine learning (ML) algorithms. However, the effect of
distinct sets of statistical features has not been researched in depth. Work in [6] has reported that
feature selection is a vital task to improve the classification and identification performance compared to
selection of the classification algorithm. Presently, several feature selection algorithms have been introduced,
e.g., [7]-[11]. However, most of the introduced methods do not consider the impact of integrating online
features with inter-arrival time (IAT) for online P2P classification.

This paper proposes an approach based on two analytic methods: one-way analysis of variance and an
incremental traffic classification algorithm. One-way analysis of variance is implemented using the KNIME
tool, and the Hoeffding Tree incremental machine learning algorithm is implemented using the MOA (Massive
Online Analysis) tool in order to investigate the impact of the packet IAT feature for online P2P classification.

The remainder of this paper is organized as follows. Section 2 introduces related works including 
ML concepts, traffic classification and feature selection. Section 3 discusses the methodology to investigate 
the impact of packet inter-arrival time feature for online P2P classification. The experimental setup, result 
and discussion are discussed in Section 4. Section 5 presents the conclusion. 


2. RELATED WORK 

Machine learning (ML) is a promising technique that has been used for data mining and knowledge
discovery [12]. Unsupervised learning strategies basically cluster flows with similar pattern behaviour.
Supervised learning needs a set of labeled data to train its model in advance for identification and
classification of data [12].

Classification using flow features mainly deploys machine learning to perform training and
classification. From the extracted flow features, the classifier predicts the class of a new flow. This process is
called a data mining problem. The first work using this technique was by [13]. Generally, classification can
be performed in three steps: extracting the features, selecting features and generating the classifier [14].

Moore et al. [15] have suggested 249 features that can potentially be used in ML traffic identification.
However, most of these features can only be obtained in an off-line mode. Off-line features such as maximum
and minimum bytes in packet can only be obtained with complete flows. Work in [16] employed all 249
features suggested in [15], derived from packet streams consisting of one or more packet headers. Most of
these features cannot be extracted online from live traffic for online traffic identification.

Feature selection (FS) is used to select an optimal subset of features from the input which can efficiently
describe the input data while reducing the effects of irrelevant or noisy features, yet still provide good
prediction of its class [7], [17]. Traffic identification can be improved with reference to computational
performance and accuracy by using the most relevant features [18].

Loo et al. [8] proposed 12 online features without time-related features. Monemi et al. [19]
proposed 35 real-time flow features that can be easily extracted from flow records. These features include
number of packets, port address, protocol, overall Transmission Control Protocol (TCP) flags, average
volume in byte, volume in byte per packet, flow duration, payload volume in byte, flow duration, average
number of packets per second, average volume in byte per second, average payload volume in byte per
second, average payload volume in byte per packet, and average time interval. Erman et al. [16]
performed a backward greedy search on various datasets and found that time-related features such as
duration, IAT and flow throughput are not useful in traffic classification.

Online feature techniques have been proposed in [7], [20]. These works used the Cambridge datasets
and Naive Bayes to evaluate two feature selection algorithms named Bias Coefficient Results (BFS) and
Selected Online Feature. These works achieved accuracy of 90.92% and 93.20%, respectively. In addition, the
work in [7] considered IAT as one of the proposed on-line features.

Most research has focused on online features with IAT, as suggested in [7], [11], [19], [21].
However, the impact of the packet inter-arrival time feature for online P2P classification still plays an important
role for accurate and timely classification.


3. OVERVIEW OF THE METHODS 

Our proposed method to investigate the impact of the packet IAT feature for online P2P classification
consists of two main stages: testing the significance of the packet IAT feature, and investigating the impact of the
packet IAT feature for online P2P identification with reference to accuracy, kappa statistic and time. The first stage
applies one-way analysis of variance using the KNIME tool to test the significance of IAT. In the second stage,
the Hoeffding Tree incremental machine learning algorithm is implemented in the MOA tool. All stages are
discussed in detail in Section 3.1. Figure 1 shows the overview of the proposed method to investigate the
impact of the packet IAT feature for online P2P classification.

Figure 1. Proposed method


3.1. Techniques for analyzing features 

Konstanz Information Miner (KNIME) is a recent open-source data analytics platform that allows for
undertaking complete statistics and data mining analysis. One-way ANOVA is implemented in KNIME
benchmark [22]. WEKA workspace tools are also used for classification [23]. One-way ANOVA is the most
effective method available for analyzing the more complex data sets [24]. In this work, we computed the
F-statistic using ANOVA. Equations (5) and (1) represent the sum of squares (SS) in ANOVA, while the sum of
squares for Treatment (SST) is given by Equation (2). The sum of squares for Error (SSE) is computed using
Equation (3). The Variance between Treatments (MST) is computed by Equation (4). The Variance Within
Treatments (MSE) is computed using Equation (5). The F-statistic, obtained by dividing MST by MSE, is given
by Equation (6). Using a 95% confidence interval for the mean difference, ANOVA is calculated as:
Then

SS = SSE + SST (4)
Ms =< 6)
SSE 

MSE = xci (6) 

Thus, the ANOVA test null hypothesis is $H_0: \mu_1 = \mu_2 = \cdots = \mu_k$, which means that there are no
treatment effects, where $\bar{y}$ is the sample mean, $n$ is the sample size, and $\mu_0$ is the specified
population mean.
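
The F-statistic described above can be computed directly from per-class feature values. The following Python code is an added example, not the paper's KNIME workflow; it assumes the textbook degrees of freedom (k - 1 between classes, N - k within classes), and `one_way_anova`, `rank_features`, `SAMPLE` and the feature values are constructed for illustration.

```python
# Added example, not the paper's KNIME workflow: one-way ANOVA F-statistic
# per flow feature, with the traffic classes as the treatments.
from statistics import fmean

F_CRIT_2_6 = 5.14  # tabulated F critical value for alpha = 0.05, df = (2, 6)

def one_way_anova(groups):
    """groups: {class label: [feature values]}. Returns the ANOVA terms."""
    values = [v for g in groups.values() for v in g]
    n, k = len(values), len(groups)
    if k < 2 or n <= k:
        raise ValueError("need at least 2 classes and more samples than classes")
    grand = fmean(values)
    means = {c: fmean(g) for c, g in groups.items()}
    # SST: variation of the class means around the grand mean (between classes)
    sst = sum(len(g) * (means[c] - grand) ** 2 for c, g in groups.items())
    # SSE: variation of each sample around its own class mean (within classes)
    sse = sum((v - means[c]) ** 2 for c, g in groups.items() for v in g)
    # SS: total variation, computed independently so SS = SSE + SST can be checked
    ss = sum((v - grand) ** 2 for v in values)
    mst, mse = sst / (k - 1), sse / (n - k)
    f = mst / mse if mse > 0 else float("inf")
    return {"SS": ss, "SST": sst, "SSE": sse, "MST": mst, "MSE": mse, "F": f}

def rank_features(dataset):
    """dataset: {feature: {class: values}} -> [(feature, F)], largest F first."""
    scores = {name: one_way_anova(groups)["F"] for name, groups in dataset.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

# Constructed sample: three flows per class and two features (not real traffic).
SAMPLE = {
    "Ply_size": {"P2P": [300, 320, 340], "WEB": [100, 120, 140], "FTP": [500, 520, 540]},
    "iat": {"P2P": [2, 4, 6], "WEB": [1, 2, 3], "FTP": [5, 6, 7]},
}

if __name__ == "__main__":
    for name, f in rank_features(SAMPLE):
        print(f"{name}: F = {f:.2f}, significant at 0.05: {f > F_CRIT_2_6}")
```

Both constructed features exceed the critical value, but the IAT feature separates the classes far less strongly, which is the kind of ranking the F-statistic is used for here.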

Massive Online Analysis (MOA) [25]: MOA is a data stream mining suite written in Java.
Users can use MOA through a Graphical User Interface (GUI) or through the command line. Unlike WEKA
[23], which is for batch data mining, MOA specializes in processing and analyzing data streams. The suite
includes evaluation tools such as concept drift evaluation and interleaved test-then-train evaluation. It is also
built with a collection of data stream identification techniques such as Naive Bayes, Hoeffding Tree, Bagging
and Boosting techniques. In this paper, MOA is used to analyze the impact of integrating online features with
IAT for online P2P classification.


4. EXPERIMENTAL SETUP, RESULTS AND DISCUSSION 
This section presents and discusses the network traffic datasets used and the evaluation method used
to evaluate the impact of integrating online features with inter-arrival time for online P2P classification.

4.1. Dataset
Network traces are used to validate the performance of the proposed technique. These datasets are
PAM [26], UNIBS [27] and Cambridge [15]. Table 1 summarizes the datasets used; the description of
each dataset is as follows:

a. The PAM traces were captured at Aalborg University from 25th February 2013 to 1st May 2013 and reported
in [26]. The labels of the dataset were collected using the Volunteer-Based System (VBS). A total of 1,262,022
flows were captured, of which 535,438 flows were labeled as reported in [26]. However, only 339,061 flows
could be used, as most flows have fewer than five packets and the netflow and feature extractor modules
only extract flows that contain five packets or more. By using the provided information files, the flows
are labeled into four classes: WEB, FTP, P2P, and Others.

b. The UNIBS datasets [27] were obtained from a series of workstations at the University of Brescia from
30th September 2016 to 2nd October 2016. The traces were collected on an edge router, where the traffic was
generated by 20 workstations running the GT toolset. In this work, the traces were processed using netflow
and feature extractor based on a 1-minute timeout, and flows with a minimum of five packets were extracted.
A total of 77,303 flows were extracted, and all flow features were extracted based on only the first five
packets of each flow. The accompanying ground-truth labels were used to classify flows into five classes:
P2P, Skype, Web, Others, and Mail.

c. The Cambridge datasets were obtained from traces captured on the Genome Campus network in August
2003 in the University of Cambridge [15]. There are ten different datasets, each from a different period of
the 24-hour day. These datasets consist of TCP flows. Furthermore, every flow sample is high dimensional
since it contains 248 features. Applications with negligible classes, such as games and
interactive, were excluded as they are insufficient for training and testing. The datasets include classes such as
FTP-Pasv, Attack, P2P, Database, Multimedia, Web, Mail, FTP-Control, and Services.


Table 1. Datasets Statistics

                            UNIBS     PAM       Cambridge
Flow instances              77,303    339,061   397,030
#Classes                    5         4         10
#Flow features extracted    9         9         9


4.1.1. Dataset preprocessing 

Online features are extracted, and the online features with IAT and without IAT suggested in our
previous work [28] are selected. For the UNIBS and PAM datasets, the features are extracted based on the
statistics of the first five packets of each flow. However, for the Cambridge dataset, the statistics of the first 5
packets are not available without access to the raw packets. Thus, for this dataset, the complete flow statistic
is used (not only the first 5 packets). In order to have a fair comparison of all datasets, the mean features in the
Cambridge dataset are modified to total features. Table 2 shows the list of features that were extracted.


Table 2. Online features with IAT

#   Name          Description
1   Port_a        Source port number
2   Port_b        Destination port number
3   Ply_size_ba   Total byte in IP packet (Downlink)
4   Ply_size      Total byte in IP packet
5   Pck_size_ba   Total byte in Ethernet packet (Downlink)
6   Pck_size      Total byte in Ethernet packet
7   iat_ba        Total packet inter-arrival time (downlink)
8   Iat           Total packet inter-arrival time
9   Class         Protocol
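
As an added example (not the authors' netflow and feature extractor modules), the Python code below derives the eight numeric features of Table 2 from the first five packets of each flow and skips shorter flows. It assumes that the sender of the first packet is endpoint a, that b-to-a is the downlink, and that the Ethernet size is the IP length plus a 14-byte header; flow timeouts are not modelled, and the packet records and function names are constructed.

```python
# Added example: Table 2 online features from the first five packets of a flow.
from collections import defaultdict

ETH_HEADER = 14  # assumption: untagged Ethernet II header added to the IP length
N_FIRST = 5      # features use only the first five packets of each flow

def flow_key(p):
    """Direction-independent key so both directions land in the same flow."""
    ends = sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])])
    return (p["proto"], ends[0], ends[1])

def total_iat(pkts):
    """Sum of gaps between consecutive packets (timestamps in microseconds)."""
    return sum(b["ts"] - a["ts"] for a, b in zip(pkts, pkts[1:]))

def online_features(packets):
    """Return {flow key: feature dict} for flows with at least N_FIRST packets."""
    flows = defaultdict(list)
    for p in sorted(packets, key=lambda q: q["ts"]):
        flows[flow_key(p)].append(p)
    features = {}
    for key, pkts in flows.items():
        if len(pkts) < N_FIRST:
            continue  # too short: no features are extracted for this flow
        head, first = pkts[:N_FIRST], pkts[0]
        # Assumption: the first packet's sender is endpoint a; b->a is the downlink.
        ba = [p for p in head
              if (p["src"], p["sport"]) != (first["src"], first["sport"])]
        features[key] = {
            "Port_a": first["sport"], "Port_b": first["dport"],
            "Ply_size_ba": sum(p["ip_len"] for p in ba),
            "Ply_size": sum(p["ip_len"] for p in head),
            "Pck_size_ba": sum(p["ip_len"] + ETH_HEADER for p in ba),
            "Pck_size": sum(p["ip_len"] + ETH_HEADER for p in head),
            "iat_ba": total_iat(ba),
            "Iat": total_iat(head),  # feature 8 in Table 2
        }
    return features

def constructed_capture():
    """Constructed sample: one 6-packet flow and one 2-packet flow (skipped)."""
    c, s, c2 = ("10.0.0.5", 51000), ("192.0.2.10", 6881), ("10.0.0.6", 40000)
    def pkt(ts, a, b, n):
        return {"ts": ts, "src": a[0], "sport": a[1], "dst": b[0],
                "dport": b[1], "proto": "tcp", "ip_len": n}
    long_flow = [pkt(0, c, s, 60), pkt(1000, s, c, 60), pkt(1500, c, s, 52),
                 pkt(4000, c, s, 120), pkt(9000, s, c, 1500), pkt(9500, s, c, 1500)]
    return long_flow + [pkt(100, c2, s, 60), pkt(200, s, c2, 60)]

if __name__ == "__main__":
    for key, feats in online_features(constructed_capture()).items():
        print(key, feats)
```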


4.1.2. Evaluation

Prequential evaluation using the fading factors forgetting mechanism proposed by Gama et al. [29] is
adopted as the evaluation method. This method is suitable for evaluating incremental learning algorithms. The
prequential parameters used in our experiment are as stated below, unless specified otherwise:
a. Classifier to train: Hoeffding Tree
b. Stream to learn from: PAM, Cambridge and UNIBS dataset
c. Training and testing on a total of 250,000 samples for PAM and Cambridge, and 50,000
samples for UNIBS
d. Testing every two hundred samples
e. Instances between memory bound checks: 193,000 samples for PAM and Cambridge, and
40,000 samples for UNIBS
f. Evaluate Prequential Parameters: Window Classification Performance Evaluator
Size of sliding window is 1,000
The performance indicators used in this research are classification time ($T$), Kappa statistic ($K$)
and average accuracy ($Acc$). Average accuracy is the overall accuracy for a dataset. Let the total number of correct
identifications in a dataset with $N$ flow instances be $\eta$. The performance indicators used in this paper are:

$$Acc = \frac{\eta}{N} \times 100\% \quad (7)$$

$$K = \frac{p_0 - p_e}{1 - p_e} \quad (8)$$

where $p_0$ is the classifier's prequential accuracy and $p_e$ is the probability of correct prediction. Kappa has
the preferable property that its value is 1 with perfect agreement ($p_0 = 1$). The value is approximately zero when
the observed agreement is almost the same as would be expected by chance ($p_0 \approx p_e$). Furthermore, the Kappa
statistic does not assume marginal probabilities to be the same for different observers.
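
The prequential procedure and the two indicators above, as an added Python example rather than the paper's MOA configuration: each sample is tested first and then used for training, and accuracy and Kappa are computed over a sliding window. The two learners are simple stand-ins for the Hoeffding Tree, the chance-agreement term is estimated from the label and prediction frequencies inside the window (an assumption), and the stream is constructed.

```python
# Added example, not the paper's MOA setup: prequential (test-then-train)
# evaluation with sliding-window accuracy and Kappa, K = (p0 - pe) / (1 - pe).
from collections import Counter, deque

class MajorityClass:
    """Stand-in incremental learner: predicts the most frequent label seen."""
    def __init__(self):
        self.counts = Counter()
    def predict(self, x):
        return max(self.counts, key=self.counts.get) if self.counts else None
    def learn(self, x, y):
        self.counts[y] += 1

class NearestCentroid:
    """Stand-in incremental learner: running mean of one feature per class."""
    def __init__(self):
        self.n, self.mean = Counter(), {}
    def predict(self, x):
        if not self.mean:
            return None
        return min(self.mean, key=lambda c: abs(x - self.mean[c]))
    def learn(self, x, y):
        m = self.mean.get(y, 0.0)
        self.n[y] += 1
        self.mean[y] = m + (x - m) / self.n[y]

def window_metrics(window):
    """window: (true, predicted) pairs. Returns (accuracy in %, Kappa)."""
    w = len(window)
    true_c = Counter(t for t, _ in window)
    pred_c = Counter(p for _, p in window)
    p0 = sum(t == p for t, p in window) / w
    # Assumption: chance agreement from the window's label/prediction marginals.
    pe = sum(true_c[c] * pred_c[c] for c in true_c) / (w * w)
    kappa = (p0 - pe) / (1 - pe) if pe < 1 else 0.0  # undefined when pe == 1
    return 100.0 * p0, kappa

def prequential(stream, learner, window=1000, every=200):
    """Test each sample, then train on it; report every `every` samples."""
    recent, reports = deque(maxlen=window), []
    for i, (x, y) in enumerate(stream, start=1):
        recent.append((y, learner.predict(x)))  # test first ...
        learner.learn(x, y)                     # ... then train
        if i % every == 0:
            reports.append((i, *window_metrics(recent)))
    return reports

def constructed_stream(n=2000):
    """Constructed, imbalanced stream: 1 flow in 10 is P2P; x mimics a size feature."""
    for i in range(n):
        label = "P2P" if i % 10 == 0 else "WEB"
        yield (500.0 if label == "P2P" else 100.0) + i % 7, label

if __name__ == "__main__":
    for name, lrn in (("majority", MajorityClass()), ("centroid", NearestCentroid())):
        print(name, prequential(constructed_stream(), lrn)[-1])
```

On the constructed stream the majority-class learner reaches 90% windowed accuracy with a Kappa of 0, while the centroid learner reaches 100% with a Kappa of 1, which is why Kappa is reported alongside accuracy.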


4.2. One-way ANOVA test results 

This subsection explains the significance of the selected features using the ANOVA test with a 95%
confidence interval for the mean difference. The result shows that all selected features are significant, because
the P-value obtained with ANOVA is less than 0.05. The test also shows that the IAT features are less
significant than the other features, as shown in Figure 2.


4.3. Online classification results 
The experimental results presented in Figure 3 to Figure 8 illustrate the effect of including IAT as
an online feature for P2P identification. The results presented in Table 3 indicate that the packet IAT feature
as an online feature decreases identification accuracy and Kappa statistic. Furthermore, the packet IAT feature
increases the experimental evaluation time. This is a result of packet IAT feature morphing, which involves
alternation of the direction pattern and is dependent on network locations. These results also confirm previous
offline studies, which found that:
a. Time-related features do not help to distinguish among applications [20], [30].
b. Using statistical features of an application that depend only on inter-packet time is a challenging task,
because the time required by an application to generate and transfer packets to the transport layer is masked
by the additional time added due to the network conditions and the TCP layer [31].


Table 3. Classification Results

Cambridge                         Online features without IAT   Online features with IAT
Accuracy mean                     98.86                         98.80
Kappa statistic mean              59.46                         59.46
CPU total time per second mean    1.41                          2.28

UNIBS dataset                     Online features without IAT   Online features with IAT
Accuracy mean                     94.13                         93.15
Kappa statistic mean              87.87                         86.16
CPU total time per second mean    0.51                          0.74

PAM dataset                       Online features without IAT   Online features with IAT
Accuracy mean                     92.42                         92.22
Kappa statistic mean              17.71                         15.42
CPU total time per second mean    1.56                          1.82

Figure 2. Screenshot of the ANOVA test statistic

Figure 3. UNIBS dataset mean classification accuracy

Figure 4. UNIBS dataset mean Kappa statistic


Int J Elec & Comp Eng, Vol. 8, No. 4, August 2018: 2521-2530, ISSN: 2088-8708



Figure 5. UNIBS dataset evaluation time

Figure 6. PAM dataset mean classification accuracy

Figure 7. PAM dataset mean Kappa statistic

5. CONCLUSION

In this paper, we investigated the impact of the packet IAT feature for online P2P classification with
reference to accuracy, kappa statistic and evaluation time. The simulation results indicate that the packet IAT
features for online P2P classification decrease accuracy and Kappa statistic, and also increase evaluation
time.

These results arise because IAT morphing usually involves alternation of the direction pattern and depends on
different network locations.